About
The Executable and Linkable Format (ELF, formerly named Extensible Linking Format), is a object file format (executable files and shared libraries) used also for core dumps.
Articles Related
Format
The format of an ELF follows the structure of the object file format.
A program is divided into sections and uses principally the following:
- .text for code (read-only),
- .data for data (read-write),
- .bss for uninitialized data (read-write);
A program must have at least .text section.
Section
A section is a block of memory that contains either program code or data.
Section Type | executable by the CPU | Desc |
---|---|---|
code | yes | |
.data | no | for storing data |
.bss | no | for storing program data |
debug | no |
- Sections
# Header
fileName: file format elf64-x86-64
# Series of disassembled sections
Disassembly of section .interp:
...
Disassembly of section .note.ABI-tag:
...
Disassembly of section .note.gnu.build-id:
...
...
etc
- Row in section
# Row in section with three columns
4004d6: 55 push rbp
# Row in section with an optional fourth column for comment
lea r12,[rip+0x2008ee] # 600e10 <__frame_dummy_init_array_entry>
where:
- 0x4004d6 is the address of an assembly instruction.
- 0x55 is the assembly instruction in raw hex values.
- push %rbp is the assembly instruction in text values in a .text section (the assembly instructions are actual program code). In a .data section, this information is meaningless.
- An optional fourth column is a comment that appears when there is a reference to an address to inform where the address originates. Example: the referenced address from [rip+0x2008ee] is 0x600e10, where the variable __frame_dummy_init_array_entry resides.
Text Section
Example of text section with two functions:
- _start
- and deregister_tm_clones.
00000000004003e0 <_start>:
4003e0: 31 ed xor ebp,ebp
4003e2: 49 89 d1 mov r9,rdx
4003e5: 5e pop rsi
...more assembly code....
0000000000400410 <deregister_tm_clones>:
400410: b8 3f 10 60 00 mov eax,0x60103f
400415: 55 push rbp
400416: 48 2d 38 10 60 00 sub rax,0x601038
...more assembly code....
where:
- 00000000004003e0 <_start>: is the function name called a label (ie name of a memory address)
- right below the label is also the instruction at the same address 4003e0.
Management
See
- elfdump
- readelf